Universally-composable privacy amplification from causality constraints 
We consider schemes for secret key distribution which use as a resource correlations that violate
Bell inequalities. We provide the first security proof for such schemes, according to the strongest
notion of security, the so-called universally-composable security. Our security proof does not rely on
the validity of quantum mechanics; it solely relies on the impossibility of arbitrarily-fast signaling
between separate physical systems. This allows for secret communication in situations where the
participants distrust their quantum devices.




In an experimental set-up where a Bell inequality [1] is violated, one has the certainty that
the outcomes of some local measurements are not determined beforehand. This limits the amount
of correlations between such outcomes and other systems not involved in the experiment. It also
limits the knowledge about these outcomes that a distant party can have. This fundamental piece
of our understanding of physical reality can be exploited for implementing information-theoretic
tasks. For instance, in this letter we show that a secret key generated from the outcomes of
Bell-violating measurements is secure. This reasoning is independent of quantum mechanics, the
only key assumption is the impossibility of arbitrarily-fast signaling between separate systems.

The first scheme for generating secret key from Bell-violating correlations was presented in [2],
and was followed by others [3-5]. All these schemes were presented with partial security proofs.
The results presented in this letter, complemented with the ones in [6], provide a general
security proof without assumptions (apart from no signaling) for all these schemes. We use the
strongest security criterion, the so-called universally-composable security [7], which warrants
that key distribution is secure in any context. Our methods are very general, and can be adapted
to other Bell inequality-based key-distribution schemes.

No signaling. Consider two parties, Alice and Bob, each having a physical system which can be
measured with different observables. Let $a$ ($b$) be the outcome when Alice (Bob)'s system is
measured with one of the observables parametrized by $x$ ($y$), with joint conditional probability
distribution denoted by $P_{a,b|x,y}$. We say that $P_{a,b|x,y}$ is a nonsignaling distribution if
the marginals depend only on their corresponding observables, that is $P_{a|x,y} = P_{a|x}$ and
$P_{b|x,y} = P_{b|y}$ for all $a,b,x,y$ [8]. It is clear that if one of these conditions is not
satisfied, then arbitrarily-fast signaling is possible.

Nonlocality. The distributions that can be written as

$$P_{a,b|x,y} = \sum_{\lambda} P_{\lambda}\, P_{a|x,\lambda}\, P_{b|y,\lambda} \qquad (1)$$

are called local, and satisfy all Bell inequalities [8]. In the binary case
($a,b,x,y \in \{0,1\}$) all Bell inequalities are equivalent to the CHSH inequality [9]. For what
follows, it is convenient to write the CHSH inequality as
contains the coefficients of the inequality, and the vector

$|P_{a,b|x,y}\rangle$: $\ldots,\ P_{1,0|1,1},\ P_{1,1|1,1}$ (3)

contains the probabilities for all experimental settings. [We arrange the components of these
vectors in a table for the sake of clarity.] Notice that in this form, the lower the quantity
$\langle\mathrm{CHSH}|P_{a,b|x,y}\rangle$ the larger the violation. The distribution attaining
maximal violation ($\langle\mathrm{CHSH}|P_{a,b|x,y}\rangle = 1/\sqrt{2}$) is the so-called PR-box
[10], which can be considered the maximally nonlocal (nonsignaling) distribution. The correlations
generated by measuring quantum systems are constrained by Cirel'son's bound
$\langle\mathrm{CHSH}|P_{a,b|x,y}\rangle \geq 2^{-1/2}\,3 - 1 \approx 1.121$ [11].
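The definitions above can be checked numerically in the binary case. The following is an added example, not part of the original letter: it tests the nonsignaling condition and evaluates $\langle\mathrm{CHSH}|P_{a,b|x,y}\rangle$ for the PR-box, for the optimal quantum correlations and for the local deterministic strategies. The coefficient formula is the one given in the Appendix, taken for a single pair; the function names, the one-parameter `isotropic_box` family and the quantum success probability $\cos^2(\pi/8)$ are assumptions of the example.

```python
import math
from itertools import product

BITS = (0, 1)

def chsh_coeff(a, b, x, y):
    # Appendix formula for one pair: 2^(-5/2) * 5^(a XOR b XOR x*y).
    return 2 ** -2.5 * 5 ** (a ^ b ^ (x & y))

def chsh_value(P):
    # <CHSH|P>; P maps (a, b, x, y) -> probability. Lower means more nonlocal.
    return sum(chsh_coeff(*k) * P[k] for k in product(BITS, repeat=4))

def is_nonsignaling(P, tol=1e-12):
    # Alice's marginal must not depend on y; Bob's must not depend on x.
    for a, x in product(BITS, repeat=2):
        m = [sum(P[a, b, x, y] for b in BITS) for y in BITS]
        if abs(m[0] - m[1]) > tol:
            return False
    for b, y in product(BITS, repeat=2):
        m = [sum(P[a, b, x, y] for a in BITS) for x in BITS]
        if abs(m[0] - m[1]) > tol:
            return False
    return True

def isotropic_box(p):
    # Assumed family: a XOR b = x*y with probability p, uniform marginals.
    return {(a, b, x, y): (p if (a ^ b) == (x & y) else 1 - p) / 2
            for a, b, x, y in product(BITS, repeat=4)}

def deterministic_box(fa, fb):
    # Local deterministic strategy: a = fa[x], b = fb[y].
    return {(a, b, x, y): float(a == fa[x] and b == fb[y])
            for a, b, x, y in product(BITS, repeat=4)}

def local_minimum():
    # Local distributions are mixtures of the 16 deterministic strategies,
    # so the smallest local value is attained at one of them.
    return min(chsh_value(deterministic_box(fa, fb))
               for fa in product(BITS, repeat=2)
               for fb in product(BITS, repeat=2))

def signaling_box():
    # Constructed counterexample: Alice outputs Bob's setting (a = y), b = 0.
    return {(a, b, x, y): float(a == y and b == 0)
            for a, b, x, y in product(BITS, repeat=4)}

if __name__ == "__main__":
    pr = isotropic_box(1.0)                          # PR-box
    qm = isotropic_box(math.cos(math.pi / 8) ** 2)   # optimal quantum value
    for name, box in (("PR-box", pr), ("quantum", qm)):
        print(name, round(chsh_value(box), 4), is_nonsignaling(box))
    print("local minimum", round(local_minimum(), 4))
    print("a = y box nonsignaling:", is_nonsignaling(signaling_box()))
```
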

Privacy amplification (PA) is the procedure by which a partially secret $N_r$-bit string
$\mathbf{a}$ (the raw key) is transformed into a highly-secret $N_s$-bit string $\mathbf{k}$ (the
secret key) [12]. Usually, the secret key is shorter than the raw key ($N_s < N_r$), which is the
price for the gain in privacy. The function implementing this transformation,
$h(\mathbf{a}) = \mathbf{k}$, is called hash function. It is usually the case that the hash
function has to be generated randomly after the raw key $\mathbf{a}$ has been obtained, but in our
scheme, $h$ is fixed from the beginning and known to everybody, including the eavesdropper (Eve).
An ideal secret key is a uniformly-distributed random variable $\mathbf{k}$ which is uncorrelated
with the rest of the universe (Eve). The information held by Eve is encoded in the state of a
physical system, which can be measured with one of many different observables, parametrized by
$z$. If $P_{e|z}$ is the distribution for the outcomes when this system is measured with the
observable $z$, then the distribution of an ideal secret key is
$P_{\mathbf{k},e|z} = 2^{-N_s} P_{e|z}$. Usually, the real secret key generated by PA is not
guaranteed to be an ideal secret key, $P_{\mathbf{k},e|z} \neq 2^{-N_s} P_{e|z}$.

In general, PA constitutes a sub-routine within cryptographic protocols, which use secret key as
an ingredient (an example being the encryption of messages). It is desirable that the result
obtained when any of these protocols is fed with the real secret key, is the same as if fed with
an ideal secret key, with arbitrarily high probability. If this is the case, then we say that PA
is universally composable, because it is secure in any context. Clearly, this happens if the real
and ideal secret keys are indistinguishable.

The most general strategy for distinguishing the bipartite states $P_{\mathbf{k},e|z}$ (the real
key) and $2^{-N_s} P_{e|z}$ (the ideal key) consists of performing joint measurements on the key
and Eve's system. The no signaling formalism alone does not say anything about joint measurements.
However, the key is a classical system which can be observed without disturbing the global state.
Therefore, the most general strategy is to read $\mathbf{k}$ and choose an observable $z$
depending on its value. It is well known that the probability of guessing correctly with the
optimal strategy is

$$p_{\mathrm{correct}} = \frac{1}{2} + \frac{1}{4} \sum_{\mathbf{k}} \max_z \sum_e \left| P_{\mathbf{k},e|z} - 2^{-N_s} P_{e|z} \right| . \qquad (4)$$

Notice that the maximization on $z$ depends on $\mathbf{k}$. When (4) is close to 1/2, the optimal
strategy for distinguishing the real from the ideal key is as good as a random guess — this is
the security condition that we consider.

In key distribution from Bell-violating correlations, Alice has $N$ systems, Bob has $N$ systems
and, without loss of generality, Eve has one "big" system, jointly distributed according to an
arbitrary (unknown) $P_{\mathbf{a},\mathbf{b},e|\mathbf{x},\mathbf{y},z}$. [Bold symbols correspond
to bit-string variables.] It is usually assumed that this is a $(2N+1)$-partite nonsignaling
distribution [6] (i.e. the marginals only depend on their corresponding observables), however, we
are able to proceed with a weaker assumption. If the secret key is a function of Alice's string,
$\mathbf{k} = h(\mathbf{a})$, then Bob's $N$ systems can be considered as a single "big" system,
that is, no-signaling within Bob's systems is not required in our proof. We refer to this
assumption as "$(N+2)$-partite no signaling". According to [14], the even weaker assumption of
3-partite no signaling (where Alice's $N$ systems are also considered as single one) is
insufficient to warrant security. Of these $N$ pairs of systems, $N_r$ ($N_r < N$) are used for
generating the raw key, and the rest are used to estimate how much nonlocality is shared by Alice
and Bob [6]. In the large-$N$ limit, $N_r$ is equal to $N$ up to terms sublinear in $N$ — this is
denoted by $N_r \approx N$.

The following result establishes the security of Alice's key $\mathbf{k} = h(\mathbf{a})$ when
$\mathbf{a}$ is generated by measuring $N_r$ of Alice's systems with the observable
$\mathbf{x} = \mathbf{0}$. Of course, it is necessary that the correlations shared by Alice and
Bob, $P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}$, have a sufficiently small value of
$\langle\mathrm{CHSH}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle$, or in
other words, are sufficiently nonlocal. However, the goal of key distribution is that both Alice
and Bob hold the secret key $\mathbf{k}$. Later we address this problem.

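Main result. For almost all functions $h : \{0,1\}^{N_r} \to \{0,1\}^{N_s}$ and any
$(N_r+2)$-partite nonsignaling distribution $P_{\mathbf{a},\mathbf{b},e|\mathbf{x},\mathbf{y},z}$,
the random variable $\mathbf{k} = h(\mathbf{a})$ satisfies

$$\sum_{\mathbf{k}} \max_z \sum_e \left| P_{\mathbf{k},e|\mathbf{x}=\mathbf{0},z} - 2^{-N_s} P_{e|z} \right| \leq \sqrt{2}^{\,N_s+\sqrt{N_r}}\, \langle\mathrm{CHSH}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle , \qquad (5)$$

where $\mathbf{0}$ is the zero vector.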



Here and in the rest of the letter we say that "almost all functions have a particular property"
if, when randomly picking a function $h$ with uniform distribution over all functions
$h : \{0,1\}^{N_r} \to \{0,1\}^{N_s}$, the probability that $h$ does not have that particular
property is lower than $2\exp(5N_r - 2^{\sqrt{N_r}}/4)$. The above result is also true for any
$\mathbf{x} \neq \mathbf{0}$, but for simplicity we only consider the case
$\mathbf{x} = \mathbf{0}$, which is sufficient for key distribution.

When the given correlations $P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}$ are generated by
measuring quantum systems, Cirel'son's bound implies
$\langle\mathrm{CHSH}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle \geq 1$,
which prevents the right-hand side of (5) from being small. Hence, this simple scheme does not
work with quantum correlations. This problem is solved by the BHK protocol, which yields large
secure secret keys. The BHK protocol is analyzed below. Now, we proceed to prove the main result,
and start by stating two lemmas which are proven in the Appendix.

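Lemma 1. For any $(N_r+1)$-partite nonsignaling distribution
$P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}$ we have
$P_{\mathbf{a}|\mathbf{x}=\mathbf{0}} = \langle\Gamma_{\mathbf{a}}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle$,
where $|\Gamma_{\mathbf{a}}\rangle = |\gamma_{a_1}\rangle \otimes \cdots \otimes |\gamma_{a_{N_r}}\rangle$ and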
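Lemma 2. For any given function $h : \{0,1\}^{N_r} \to \{0,1\}^{N_s}$ and any
$\mathbf{k} \in \{0,1\}^{N_s}$, define $A_{\mathbf{k}} = h^{-1}(\mathbf{k})$ and
$|\Gamma_{A_{\mathbf{k}}}\rangle = \sum_{\mathbf{a} \in A_{\mathbf{k}}} |\Gamma_{\mathbf{a}}\rangle$.
Almost all functions $h$ satisfy

$$\left|\, 2^{N_s} |\Gamma_{A_{\mathbf{k}}}\rangle - 4^{-N_r} |\mathbf{1}\rangle \,\right| \preceq \sqrt{2}^{\,N_s+\sqrt{N_r}}\, |\mathrm{CHSH}\rangle^{\otimes N_r} \qquad (6)$$

for all $\mathbf{k}$, where the symbol $|\cdot|$ denotes entry-wise absolute value, the symbol
$\preceq$ denotes entry-wise less or equal than, and $|\mathbf{1}\rangle \in \mathbb{R}^{16^{N_r}}$
has all entries equal to one.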



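Proof of the main result. Let $h$ be any of the functions which satisfies (6), and for each
$\mathbf{k}$, let $|\Gamma_{A_{\mathbf{k}}}\rangle$ be the vector defined in Lemma 2. Using
$P_{\mathbf{k}|\mathbf{x}=\mathbf{0}} = \langle\Gamma_{A_{\mathbf{k}}}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle$,
the convexity of the absolute-value function, the inequality (6), and the fact that the marginal
for $\mathbf{a}, \mathbf{b}$ cannot depend on $z$, we have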



^max^P, 



e\z 



^k|x^0,e,;2 



< ^max^P,|, (r^J-2 



■>-w. 



-N.,-2N,^ 
which is precisely (5).

Error correction and public communication. It is usually the case that the given distribution
$P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}$ does not provide perfect correlations between
$\mathbf{a}$ and $\mathbf{b}$. Hence, if $\mathbf{a}$ is the raw key, Bob has to correct the
errors in $\mathbf{b}$ before applying the hash function $h$. This can be done by Alice publishing
some information about $\mathbf{a}$, and Bob using it for correcting his errors. This is a
standard procedure in quantum key distribution, which is detailed in [6] or [16]. Other procedures
within the key distribution protocol may also require public communication. Let the $N_c$-bit
string $\mathbf{c}$ be all the information about $\mathbf{a}$ that Alice has published during the
protocol. Because $\mathbf{c}$ is a function of $\mathbf{a}$, we can still use the main result (5)
in this new setting if we let both $\mathbf{k}$ and $\mathbf{c}$ be the outcomes of the function
$h : \{0,1\}^{N_r} \to \{0,1\}^{N_s} \times \{0,1\}^{N_c}$. However, $\mathbf{k}$ and $\mathbf{c}$
play different roles: $\mathbf{k}$ is the secret key and $\mathbf{c}$ is part of the information
owned by Eve. Hence, the extension of the security condition (5) to the present setting is

$$\sum_{\mathbf{k},\mathbf{c}} \max_z \sum_e \left| P_{\mathbf{k},\mathbf{c},e|z} - 2^{-N_s} P_{\mathbf{c},e|z} \right| \leq 2\sqrt{2}^{\,N_s+N_c+\sqrt{N_r}}\, \langle\mathrm{CHSH}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle , \qquad (8)$$

where here and in the rest, the conditioning on $\mathbf{x} = \mathbf{0}$ is implicit. This
inequality is obtained by taking (5) and using the triangular inequality with the third
distribution $2^{-N_c-N_s} P_{e|z}$. The secret key is secure if the right-hand side of (8) can be
made arbitrarily small (as $N_r$ grows). This happens when the length of the final key is

(9)

up to sub-linear terms.



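Parameter estimation. In the unconditional-security scenario, the honest parties are given $N$
pairs of systems in a completely unknown global distribution. To perform a key distribution
protocol, and in particular to set the numbers $N_s$ and $N_c$, they need to bound some
quantities, like for instance
$\langle\mathrm{CHSH}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle$. In
order to do so, they invest some of the given pairs to obtain information about the distribution
$P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}$ of the $N_r$ remaining pairs. More precisely,
they compute the bounds for $N_s, N_c$ for another distribution
$P'_{\mathbf{a},\mathbf{b},e|\mathbf{x},\mathbf{y},z}$ which is warranted to be close to the real
(unknown) one
($\sum_{\mathbf{a},\mathbf{b},e} |P_{\mathbf{a},\mathbf{b},e|\mathbf{x},\mathbf{y},z} - P'_{\mathbf{a},\mathbf{b},e|\mathbf{x},\mathbf{y},z}| \leq \epsilon$
for all $\mathbf{x},\mathbf{y}$). This is explained with full detail in [6]. It is shown in [15]
that

$$\sum_{\mathbf{k},\mathbf{c}} \max_z \sum_e \left| P_{\mathbf{k},\mathbf{c},e|z} - 2^{-N_s} P_{\mathbf{c},e|z} \right| \leq 2\sqrt{2}^{\,N_s+N_c+\sqrt{N_r}}\, \langle\mathrm{CHSH}|^{\otimes N_r}|P'_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle + 2\epsilon , \qquad (10)$$

which provides the security bound for the real (unknown) distribution in terms of properties of
any $\epsilon$-close primed distribution.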

The BHK protocol introduced in [2] and analyzed in [5, 6] gives a rate of one secret bit per
singlet ($|00\rangle + |11\rangle$). It is remarkable that this protocol, where the adversary is
only constrained by no signaling, gives the same rate as if the adversary is constrained by no
signaling plus quantum mechanics. The essential novelty of the BHK protocol is to measure each
system with $m > 2$ observables, $x \in \{1, \ldots, m\}$. In this case, instead of the CHSH, we
use the Braunstein-Caves Bell inequality [17], which can be expressed as
$\langle\mathrm{BC}|P_{a,b|x,y}\rangle \geq \sqrt{2}$, with

(11)

where $\alpha = 2m+1$, and the empty entries represent zeroes. Notice that for $m = 2$ this is
equivalent to the CHSH inequality (2). Following the same methods as above, one can prove
inequalities analogous to (5), (8), (10), and obtain a key rate as in (9) but with the
Braunstein-Caves Bell inequality
a,b|x,y/



-A, 



(12) 



This rate formula can be improved by modifying $|\mathrm{BC}\rangle$ in the following way: take
the expression (11) and substitute $\alpha$ by $\sqrt{1+4m^2}$. The security of this rate will be
proven somewhere else.

If Alice and Bob share singlets or something close to it, and in the estimation process they
measure them with all the observables corresponding to points on the equator of the Bloch sphere
(see [2, 5, 6] for details), the generated correlations have
$\langle\mathrm{BC}|^{\otimes N_r}|P_{\mathbf{a},\mathbf{b}|\mathbf{x},\mathbf{y}}\rangle \approx 1/\sqrt{2}^{\,N_r}$
for large $m$. The raw keys $\mathbf{a}, \mathbf{b}$ are generated by measuring all systems with
the same observable $x = 0$, then $\mathbf{a} = \mathbf{b}$ and $N_c \approx 0$. Formula (12)
tells that the secret key rate is one secret bit per singlet: $N_s \approx N_r$. This rate cannot
be improved because it is also the optimal rate achievable against a much weaker (quantum)
adversary.

Conclusions. We show, for the first time, that key distribution from Bell-violating correlations
is secure according to the strongest notion of security, the so-called universally-composable
security. This provides the possibility of implementing secure cryptographic protocols with
untrusted quantum devices [3, 18]. In this model, Alice and Bob have to trust some of their
apparatuses (classical computers and the random number generator), but can distrust the devices
for preparing and measuring the quantum systems sent through the channel. The efficiency rate is
slightly lower than the one obtained in standard quantum key distribution, where trusting the
quantum devices is necessary.

Interestingly, in our scheme, Bell-inequality violation plays the same role as the min entropy
[16] does in standard quantum key distribution. Specifically, equations (5) and (9) have a quantum
counterpart, obtained with the exchange



log2 



(CHSHI^^IR 



a,b|x,y/ 



i/„,i„(a|e) . (13) 



A novelty of our scheme is that randomness extraction, or equivalently PA, can be performed with
a constant hash function. This contrasts with previous methods for extracting randomness
(two-universal hashing [12], extractors, etc.), which need random functions. However, we still
lack an explicit construction for one of such hash functions.

APPENDIX



Here we show the two lemmas stated above. 

Proof of Lemma 1. Here we use the same tools as in the 
proof of Lemma 16 from [6]. By definition we can write 

^a|x=0 = (rL|/^a,b|x,y), whcrC IF^) ^ [t^^) ® • • • \i,^) 

and 
The fact that Bob (when considered as a single system) cannot signal to Alice can be expressed as
$P_{\mathbf{a}|\mathbf{x},\mathbf{y}} = P_{\mathbf{a}|\mathbf{x},\mathbf{y}'}$ for any
$\mathbf{y}, \mathbf{y}'$. This implies that $P_{\mathbf{a}|\mathbf{x}=\mathbf{0}} =$

The fact that each of Alice's $N_r$ systems cannot signal to the rest, together with Bob's
systems, implies the statement of the lemma. □

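Proof of Lemma 2. Within this proof, the entries of any vector
$|\Phi\rangle \in \mathbb{R}^{16^{N_r}}$ are labeled as
$\Phi(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y})$. Also, for any pair of bit-strings
$\mathbf{x}, \mathbf{y}$: (i) the string $\mathbf{x}\cdot\mathbf{y}$ is the bit-wise product,
(ii) the string $\mathbf{x}\oplus\mathbf{y}$ is the bit-wise xor, and (iii) the integer
$\|\mathbf{x}\|$ is the number of ones in $\mathbf{x}$. Using this notation we can write the
entries of the vector $|\mathrm{CHSH}\rangle^{\otimes N_r}$ as
$\mathrm{CHSH}^{\otimes N_r}(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y}) = 2^{-5N_r/2}\, 5^{\|\mathbf{a}\oplus\mathbf{b}\oplus\mathbf{x}\cdot\mathbf{y}\|}$.
Next we prove inequality (6) for a given $\mathbf{k}$ and a given entry
$(\mathbf{a}_0,\mathbf{b}_0,\mathbf{x}_0,\mathbf{y}_0)$. Let $V_{\mathbf{a}} = 1$ if the string
$\mathbf{a}$ belongs to $A_{\mathbf{k}}$, and $V_{\mathbf{a}} = 0$ otherwise. If we pick a random
function $h$ with uniform distribution over the set of all functions, then the random variables
$V_{\mathbf{a}}$ are independent and distributed according to
$\mathrm{Prob}\{V_{\mathbf{a}} = 1\} = 2^{-N_s}$, for all $\mathbf{a}$. Let
$\mu_{\mathbf{a}} = \Gamma_{\mathbf{a}}(\mathbf{a}_0,\mathbf{b}_0,\mathbf{x}_0,\mathbf{y}_0)$,
$M = \|\mathbf{a}_0\oplus\mathbf{b}_0\oplus\mathbf{x}_0\cdot\mathbf{y}_0\|$, and note that
$|\mu_{\mathbf{a}}| \leq 5^M 8^{-N_r}$ for all $\mathbf{a}$. Following Bernstein's construction,
for any $J$ and $\beta > 0$ we have

$$\mathrm{Prob}\Big\{ \sum_{\mathbf{a}} \mu_{\mathbf{a}} V_{\mathbf{a}} > J \Big\}$$
$$\leq \mathrm{Prob}\Big\{ e^{-\beta J + \beta \sum_{\mathbf{a}} \mu_{\mathbf{a}} V_{\mathbf{a}}} > 1 \Big\}$$
$$\leq e^{-\beta J} \prod_{\mathbf{a}} \big[ 1 + 2^{-N_s} (\beta\mu_{\mathbf{a}} + \beta^2\mu_{\mathbf{a}}^2) \big] \qquad (14)$$
$$\leq \exp\Big[ -\beta J + 2^{-N_s} \sum_{\mathbf{a}} (\beta\mu_{\mathbf{a}} + \beta^2\mu_{\mathbf{a}}^2) \Big]$$

where in (14) we need $|\beta\, 5^M 8^{-N_r}| \leq 1$. In this step we have used the expansion
$e^x \leq 1 + x + x^2$, which holds if $x \leq 1$. With a little work one obtains
$\sum_{\mathbf{a}} \mu_{\mathbf{a}} = 4^{-N_r}$ and
$\sum_{\mathbf{a}} \mu_{\mathbf{a}}^2 \leq 2^{-5N_r}\, 5^{2M}$. Substituting these two expressions,
$J = 2^{-N_s-2N_r} + 2^{(\sqrt{N_r}-N_r-N_s)/2}\, 4^{-N_r}\, 5^M$ and

$$\mathrm{Prob}\Big\{ \sum_{\mathbf{a}} \mu_{\mathbf{a}} V_{\mathbf{a}} > 2^{-N_s-2N_r} + 2^{(\sqrt{N_r}-N_r-N_s)/2}\, 4^{-N_r}\, 5^M \Big\} \leq e^{-2^{\sqrt{N_r}}/4} .$$

Note that the chosen value for $\beta$ satisfies the required constraint. The expression obtained
when replacing ">" with "<" above, can be derived in a similar way. Then

$$\left| 2^{N_s}\, \Gamma_{A_{\mathbf{k}}}(\mathbf{a}_0,\mathbf{b}_0,\mathbf{x}_0,\mathbf{y}_0) - 4^{-N_r} \right| > \sqrt{2}^{\,N_s+\sqrt{N_r}}\, \mathrm{CHSH}^{\otimes N_r}(\mathbf{a}_0,\mathbf{b}_0,\mathbf{x}_0,\mathbf{y}_0) \qquad (15)$$

holds with probability $2e^{-2^{\sqrt{N_r}}/4}$. However, we want this to not hold for all
$\mathbf{k}$ and all entries $(\mathbf{a},\mathbf{b},\mathbf{x},\mathbf{y})$. The number of
different values of $\mathbf{k}$ is $2^{N_s}$, and the number of different entries is $16^{N_r}$,
then the probability for (6) being not true is upper-bounded by
$2\exp(5N_r - 2^{\sqrt{N_r}}/4)$. □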



